Yootheme · Yootheme Pagekit · CVE-2018-11564
**Name of the Vulnerable Software and Affected Versions**
YOOtheme Pagekit versions 1.0.13 and earlier
**Description**
The issue allows a user to upload malicious code via the picture upload feature, specifically by uploading an image in SVG format. Because SVG is an XML document that may embed script, and the uploaded file is neither stripped nor filtered by the system, the stored file executes in the browser when opened directly. An attacker can create a link on the website pointing to "/storage/poc.svg" which triggers an XSS attack when clicked.
**Recommendations**
For YOOtheme Pagekit versions 1.0.13 and earlier, consider disabling the picture upload feature, especially for users with elevated privileges, until a fix is available. Restrict access to the "/storage/" directory to minimize the risk of exploitation. Avoid accepting uploads in SVG format through the picture upload feature until the issue is resolved.
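As an added defensive example (not code from Pagekit or from this advisory): a Python check that an upload handler could run before writing an SVG to "/storage/", rejecting files that carry script elements, event-handler attributes, script URLs in links, or DOCTYPE declarations. The function names and both sample SVGs are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Elements that can execute script or pull in foreign content when the SVG is
# rendered in a browsing context, i.e. when a user opens it through a link.
FORBIDDEN_TAGS = {"script", "foreignObject", "iframe", "embed", "object", "handler", "style"}
DANGEROUS_URL = re.compile(r"^\s*(javascript|vbscript|data)\s*:", re.IGNORECASE)

def local_name(qname):
    """Strip a namespace prefix such as '{http://www.w3.org/2000/svg}svg'."""
    return qname.rsplit("}", 1)[-1]

def find_svg_risks(svg_bytes):
    """Return the reasons an uploaded SVG must be rejected; an empty list means it passed."""
    # Refuse DOCTYPE/ENTITY declarations up front: an image never needs them and they
    # are the vehicle for entity-expansion attacks against the XML parser itself.
    if b"<!DOCTYPE" in svg_bytes or b"<!ENTITY" in svg_bytes:
        return ["DOCTYPE or ENTITY declaration present"]
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons = []
    if local_name(root.tag) != "svg":
        reasons.append(f"root element is <{local_name(root.tag)}>, not <svg>")
    for el in root.iter():
        name = local_name(el.tag)
        if name in FORBIDDEN_TAGS:
            reasons.append(f"forbidden element <{name}>")
        for attr, value in el.attrib.items():
            aname = local_name(attr)
            if aname.lower().startswith("on"):  # onload, onclick, onerror, ...
                reasons.append(f"event handler attribute '{aname}' on <{name}>")
            elif aname == "href" and DANGEROUS_URL.match(value):  # href and xlink:href
                reasons.append(f"script URL in href on <{name}>")
    return reasons

def accept_upload(svg_bytes):
    """Upload-handler decision: store the file only if no risk was found."""
    return not find_svg_risks(svg_bytes)

# Constructed samples: a harmless icon, and an SVG carrying the kind of script
# an attacker would plant for the stored XSS described in this advisory.
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10"><circle cx="5" cy="5" r="4" fill="red"/></svg>'
XSS_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">'
           b'<script>alert(document.domain)</script>'
           b'<a href="javascript:alert(1)"><text y="8">x</text></a></svg>')

if __name__ == "__main__":
    print("clean:", find_svg_risks(CLEAN_SVG))
    print("xss:  ", find_svg_risks(XSS_SVG))
```

Serving stored files with a `Content-Disposition: attachment` header, or from a separate origin, limits the impact of any SVG that still gets through.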